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APPLICANT(S): GERHARD HOFFMANN ET AL 

ATTORNEY DOCKET NO.: POO, 1 996 

INTERNATIONAL APPLICATION NO: PCT/DE99/02443 

INTERNATIONAL FILING DATE: 04 AUGUST 1 999 

INVENTION: METHOD AND ARRANGEMENT FOR FORMING A SECRET 
COMMUNICATION KEY FOR A PREDETERMINED 
ASYMMETRIC CRYPTOGRAPHIC KEY PAIR 

10 



Assistant Commissioner for Patents, 
Washington D.C. 20231 



15 Sir: 

Applicants herewith amend the above-referenced PCT application, and 
request entry of the Amendment prior to examination on the United States 
Examination Phase. 



20 IN THE CLAIMS : 

On page 13: 

replace line 1 with -WHAT IS CLAIMED IS:-; 



Please replace original claims 1-20 with the following rewritten claims 1-20, 
25 referring to the mark-ups in Appendix A. 

1 . (Amended) A method for forming a secret communication key for a 
predetermined asymmetric cryptographic key pair which comprises a private key and 
a corresponding public key, by a computer, comprising the steps of: 

utilizing a prescribable initial value given a determination of said key pair; 

-1- 
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providing said initial value to a user; 

entering, by said user, said initial value into said computer; and 

forming said secret communication key upon utilization of said initial value, 

said secret communication key and said public key forming an asymmetric 

cryptographic communication key pair. 

2. (Amended) The method according to claim 1 , further comprising the steps 

of: 

supplying said initial value to a hash function; and 

determining, using a hash function value formed by said hash function, said 
key pair and said communication key pair. 

3. (Amended) The method according to claim 1 , further comprising the step 

of: 

including additional data characterizing said user when said key pair and said 
communication key pair are formed. 

4. (Amended) The method according to claim 1 , further comprising the steps 

of: 

determining a prime number based on said initial value, where, in an iterative 
method, the following steps are performed: 

checking said initial value or a previously checked number, producing 
a checked number, to determine whether said checked number is a prime number 
and (determination of primacy), and if said checked number is a prime, storing an 
index, which refers to a plurality of numbers, which have been checked with respect 
to their property of being prime; and 

selecting, when said number is not a prime number, another number 
based on said checked number and said index, said checked number being 
increased by a prescribed number; 

said method further comprising the steps of: 

-2- 
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erasing a used prime number after said communication key pair has been 
formed; and 

forming, witli said index and said initial value, a new communication key pair 
for forming said secret communication key. 

5 

5. (Amended) The method according to claim 4, wherein said determination 
of primacy for any given number is carried out according to the method of Miller- 
Rabin. 

10 6. (Amended) The method according to claim 1 wherein keys are formed 

according to the RSA method. 

7. (Amended) The method according to claim 2 wherein said hash function is 
selected from the group consisting of the methods MD-5 method, the MD-2 method, 

15 and the Data Encryption Standard (DES) method as a one-way function. 

8. (Amended) The method according to claim 1 , further comprising the step 

of: 

enciphering electronic data with said secret communication key. 

20 

9. (Amended) The method according to claim 1 , further comprising the step 

of: 

forming a digital signature via electronic data using said secret 
communication key. 

25 

10. (Amended) The method according to claim 1, further comprising the step 

of: 

authenticating data using said secret communication key. 
30 11. (Amended) An arrangement for forming a secret communication key for a 
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predetermined asymmetric cryptographic key pair which comprises a private key and 
a corresponding public key, comprising: 

an input device configured for entering an initial value by a user; and 
a processor connected to said input device, said processor configured to: 
determine, using said prescribable initial value, said asymmetric 
cryptographic key pair; 

accept entry of said initial value made available to said user; and 
form said secret communication key using said Initial value, where said 
secret communication key and said public key form a communication key pair, 

1 2. (Amended) The arrangement according to claim 1 1 , wherein said 
processor is configured such that said initial value is supplied to a hash function and 
a hash value formed by the hash function is used for determining said asymmetric 
cryptographic key pair and the communication key pair. 

1 3. (Amended) The arrangement according to claim 1 1 , wherein said 
processor is configured such that additional data characterizing said user are utilized 
during said formation of said asymmetric cryptographic key pair and said 
communication key pair. 

14. (Amended) The arrangement according to claim 1 1 , wherein said 
processor is configured to: 

determine a prime number based on said initial value, where, in an iterative 
method: 

said initial value or a previously checked number is checked, producing 
a checked number, to determine whether said checked number is a prime number 
(determination of primacy), and if said checked number is a prime, storing an index, 
which refers to a plurality of numbers, which have been checked with respect to their 
property of being prime; and 

select, when said number is not a prime number, another number 
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based on said checked number and said index, said checked number being 
increased by a prescribed number; 

said processor further being configured to: 

erase a used prime number after said communication key pair has been 
5 formed; and 

form, with said index and said initial value, a new communication key pair for 
forming said secret communication key. 

15. (Amended) The arrangement according to claim 14, wherein said 

10 processor is configured carry out said determination of primacy according to the 
method of Miller-Rabin. 

16. (Amended) The arrangement according to claim 1 1 , wherein said 
processor is configured to form keys according to the RSA method. 

15 

17. (Amended) The arrangement according to claim 12, wherein said 
processor is configured to produce said hash function according to a method 
selected from the group consisting of the MD-5 method, the MD-2 method, and the 
Data Encryption Standard (DES) method as one-way function. 

20 

18. (Amended) The arrangement according to claim 1 1 used for enciphering 
electronic data with said secret communication key. 

1 9. (Amended) The arrangement according to claim 1 1 used for forming a 
25 digital signature via electronic data upon utilization of said secret communication 

key. 

20. (Amended) The arrangement according to claim 1 1 used for 
authenticating data upon utilization of said secret communication key. 

30 
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REMARKS 



The present Amendment revises the specification and claims to conform to 
United States patent practice, before examination of the present PCT application in 

5 the United States National Examination Phase. Pursuant to 37 CFR 1 .125 (b), 
applicants have concurrently submitted a substitute specification, excluding the 
claims, and provided a marked-up copy. All of the changes are editorial and 
applicant believes no new matter is added thereby. The amendment, addition, 
and/or cancellation of claims is not intended to be a surrender of any of the subject 

10 matter of those claims. 



Early examination on the merits is respectfully requested. 
Submitted by, 



Mark Bergner 
Schiff Hardin & Waite 
Patent Department 
6600 Sears Tower 
233 South Wacker Drive 
Chicago, Illinois 60606-6473 
(312) 258-5779 
Attorneys for Applicant 
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TITLE 



METHOD AND ARRANGEMENT FOR FORMING A SECRET COMMUNICATION 
KEY FOR A PREDETERMINED ASYMMETRIC CRYPTOGRAPHIC KEY PAIR 



communication key for a predetermined asymmetric key pair. 

10 Description of the Related Art 

2 The formation of an asymmetric cryptographic key pair is known from C. 
Ruland, Informationssicherheit in Datennetzen, ISBN 3-89238-081-3, DATACOM- 
Verlag, page 79 - 85, 1993 (Ruland I), which discloses the RSA method for forming 
a cryptographic key pair, which comprises a secret (private) key and a 

15 corresponding public key. Only the user knows the private key, but the public key 
can be made known to all subscribers of a communication network. In this method, 
the user signs the data with his private key when a digital signature is prepared for 
protecting the authenticity and integrity of electronic data. The signed digital 
signature is verified upon utilization of the public key corresponding to the private 

2 0 key, so that the authenticity or integrity of the digital signature can be checked by all 
communication partners, who have access to the public key. The previously 
mentioned "Public-Key-Technology" is particularly applied in the digital 
communication within a computer network (a fixed number of computer units, which 
are connected to one another via a communication network). Given the method 

2 5 known from Ruland, the protection of the private key against unauthorized access of 
a third party is of critical importance for the security of the digital signature. 

3 It is known from D. Longley and M. Shain, Data & Computer Security, 
Dictionary of standards concepts and terms, Stockton Press, ISBN 0-333-42935-4, 
page 317, 1987 (Longley) to store the private key on an external medium for storing 

30 data, for example, a chip card, a disk etc., or on a hard disk, where key data are 
protected in that a personal identification code (Personal IdentificationJsJjjmb^^ 
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Field of the Invention 



The invention relates to a method and an arrangement for forming a secret 



1 




or a password, with which the key data that are respectively deciphered is used. It is 
necessary, however, to access the local resources of a user when these external 
media are used. This is not desired especially with respect to a network-oriented 
infrastructure of network computers or Java applications. These are defined as 
follows. A network computer is a computer that is networked with other computers; 
and a Java application is a program containing programs that are written in the 
programming language Java. The method known from Longley is disadvantageous 
In that the private key must be stored on an external medium, so that it Is very 
difficult to protect the private key against misuse. 

4 An overview regarding hash functions can be found in C. Ruland, 
Informationssicherheit in Datennetzen, ISBN 3-89238-081-3, DATACOM-Verlag, 
page 68 - 73, 1993 (Ruland II). A hash function is a function in which it is possible to 
calculate a corresponding input value to a given function value. Furthermore, an 
output character string having a fixed length is allocated to an arbitrarily long input 
character string. Moreover, additional properties can be requested for the hash 
function, such as collision freedom, which precludes the possibility of finding two 
different input character strings resulting in the same output character string. 
Examples of a hash function are the method according to the MD-2 standard, the 
method according to the MD-5 standard, the Data Encryption Standard (DES), which 
is carried out without utilizing a key, or any other arbitrary hash function. 

5 A method referred to as a "Miller-Rabin" can determine whether a number is 
prime or not. Such a method is known from A. J. Menezes, P. van Oorschot and S. 
Vanstone, Handbook of Applied Cryptography, CRC Press, ISBN 0-8493-8523-7, 
page 138 - 140, 1997 (Menezes). 



SUMMARY OF THE INVENTION 

6 An object of the invention is to form a secret communication key for a 
predetermined asymmetric cryptographic key pair, where the private key of the 
asymmetric key pair must not be stored permanently. 

7 The problem is solved by a method for forming a secret communication key 
for a predetermined asymmetric cryptographic key pair which comprises a private 
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key and a corresponding public key, by a computer, comprising the steps of utilizing 
a prescribable initial value given a determination of the key pair; providing the initial 
value to a user; entering, by the user, the initial value into the computer; and forming 
the secret communication key upon utilization of the initial value, the secret 
communication key and the public key forming an asymmetric cryptographic 
communication key pair. 

8 The problem is also solved by an arrangement comprising an input device 
configured for entering an Initial value by a user; and a processor connected to the 
input device, the processor configured to implement the above method. 

9 Given the method for forming a secret communication key for a 
predetermined asymmetric cryptographic key pair, which comprises a private key 
and a corresponding public key, a prescribable initial value (that is available to a 
user) is used with respect to the determination of the key pair. The user enters the 
initial value into the computer and the secret communication key is formed upon 
utilization of the initial value. The secret communication key and the public key form 
a communication key pair, which is not to be confused with the predetermined 
asymmetric cryptographic key pair. 

1 0 The arrangement for forming a secret communication key for a predetermined 
asymmetric cryptographic key pair, which comprises a private key and a 
corresponding public key, has a processor, which is set up such that the following 
steps can be carried out: 

- a prescribed initial value is used for determining the key pair, 

- the user enters the initial value into the computer, 

- the secret communication key is formed upon utilization of the initial value, 
where the secret communication key and the public key form a communication key 
pair. 

1 1 Furthermore, an input device is provided for entering the initial value by the 
user. 

12 As a result of the invention, it is possible to erase the private key without 
having to forego the intense cryptography of the "Public-Key-Technology". 
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Concretely, the initial value can be regarded as a personal identification code 
(Personal Identification Number- PIN) or as a password that is prescribed by the 
user or that is centrally prescribed and that is entered by the user into the computer. 
After the password or the PIN has been entered, the secret communication key, i.e., 
the key that is of the same name compared to the private key, is formed, which 
forms a communication key pair together with the public key (i.e., the communication 
key pair comprises the public key and the secret communication key), upon 
utilization of the password or of the PIN as an initial value. 

13 In this way, a fusion of the password technology customary to the user of a 
conventional computer network or of a conventional computer with the intense 
cryptology is inventively achieved without considerable efforts being necessary in 
order to permanently store private key material. 

14 Preferred embodiments of the method and associated apparatus for 
implementing the method are provided as follows. The inventive method may further 
comprise the steps of: supplying the initial value to a hash function; and determining, 
using a hash function value formed by the hash function, the key pair and the 
communication key pair. The formation of the communication key pair may further 
include additional data characterizing the user. The method may further comprise 
the steps of: determining a prime number based on the initial value, where, in an 
iterative method, the following steps are performed: 1 ) checking the initial value or a 
previously checked number, producing a checked number, to determine whether the 
checked number is a prime number and (determination of primacy), and if the 
checked number is a prime, storing an index, which refers to a plurality of numbers, 
which have been checked with respect to their property of being prime; and 2) 
selecting, when the number is not a prime number, another number based on the 
checked number and the index, the checked number being increased by a 
prescribed number; where the method further comprises the steps of: erasing a used 
prime number after the communication key pair has been formed; and forming, with 
the index and the initial value, a new communication key pair for forming the secret 
communication key. 
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15 The inventive methods and associated apparatus are described in more detail 
below. 

16 In an embodiment of the invention, a hash function is applied to the initial 
value, providing a value being formed that is finally used for the key generation. 
Furthermore, additional data, which preferably characterize the user himself, can be 
used during the key generation. The RSA method for the key generation is 
preferably used for forming the cryptographic key. The method according to the MD- 
5 standard, the MD-2 standard or the Data Encryption Standard (DES) can be used 
as a hash function. The communication key pair can be used for enciphering or for 
securing the integrity of electronic data, for forming a digital signature via electronic 
data or for authenticating a user- generally for any arbitrary cryptographic operation 
using the "Public-Key-Technology" that uses the formed communication key pair. 

17 For accelerating the method, it is advantageous in an embodiment to store an 
index (accelerating code) when the private key is formed. The accelerating code 
indicates how often numbers - proceeding from the initial value - have been checked 
to the effect whether or not the respective number is a prime number. The method 
according to Miller-Rabin is preferably used for checking the property whether a 
number represents a prime number. 

BRIEF DESCRIPTION OF THE DRAWINGS 

18 An exemplary embodiment of the invention is shown in the Figures and is 
subsequently explained in greater detail. 

Figure 1 is a flow diagram representing the method steps of the exemplary 
embodiment; 

Figure 2 is a block diagram representing a computer network having a plurality 

of computers coupled to one another; and 
Figure 3 is a symbolic block drawing representing the course of action for 

determining a prime number on the basis of an initial value. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
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19 Figure 2 shows a plurality of computers 200, 210, 220, 230, 240, 250, which 
are connected to one another via a communication network 260. Each computer 

200, 210, 220, 230, 240, 250 respectively has a plurality of input devices, i.e., a 
keyboard 206, 216, 226, 236, 246, 256, a mouse 207, 217, 227, 237, 247, 257, a 
scanner (not shown) or a camera (not shown). The entered information is supplied 
to a memory 202, 212, 222, 232, 242, 252 via the respective input device via an 
input interface/output interface 201 , 21 1 , 221 , 231 , 241 , 251 and is stored. The 202, 
2212, 222, 232, 242, 252 memory is connected to the input interface/output interface 

201 , 21 1 , 221 , 231 , 241 , 251 via a bus 204, 214, 224, 234, 254. A processor 203, 
213, 223, 233, 243, 253, which is set up such that the following methods steps can 
be carried out, is also connected to the bus 204, 214, 224, 234, 254. 

20 The computer 200, 210, 220, 230, 240, 250 communicate via the 
communication network 260 according to the Transport Control Protocol/jnternet 
Protocol (TCP/IP). The communication network 260 also contains a certification 
unit 270 with which a certificate is prepared respectively for a public key, so that the 
public key is trustworthy for a communication on the basis of the "Public-Key- 
Technology". A user 280 enters an arbitrary prescribable word (PIN, password), 
which is only known to the user, into a first computer 200 (step 101 , compare Figure 
1). 

21 According to the RSA method, the first computer 200 generates an 
asymmetric cryptographic key pair, as described in the following. The value 102 
entered by the user 280 and additional data 103 characterizing the user 280, such 
as user name, personal number, terminal address etc., are supplied to a hash 
function (step 104). The hash function is defined and has properties as described 
above. The value formed by the hash function is used as a base value BW for 
forming two prime numbers, as symbolically shown in Figure 3. As shown in Figure 
3, it is respectively checked for a value Wi (i = 1 , n) in an iterative method, on the 
basis of the base value BW, whether or not the respective value represents a prime 
number (step 301). 

22 The method according to Miller-Rabin is utilized as method for checking the 
property prime for a number (see Menezes). If the number is determined to not be 
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prime, the number is increased by a prescribable value, preferably by the value 2 
(step 302) and the test with respect to the property "prime" is repeated (step 301 ). 
This course of action is repeated until two prime numbers - a first prime number p 
and a second prime number q - have been determined. 

23 A number, referred to as an index, indicates how often - on the basis of the 
base value BW- the number must be increased by the prescribed value until the first 
prime number p or the second prime number q is obtained. The result of the method 
shown in Figure 3 is two prime numbers p and q, which are used for the key 
generation according to the RSA method (step 105). The prime numbers p and q 
normally have a length of a multiple of 100 bits. A modulus n is formed from the 
prime numbers p and q according to the following rule: 

n = p*q. (1) 

24 Furthermore, an intermediate variable <p (n) is formed according to the 
following rule: 

CP (n) = (p-1) * (q-1). (2) 

25 A secret key d is now selected such that the secret key d is relatively prime 
with respect to cp (n). A public key e is determined such that the following rule is 
fulfilled: 

e * d mod cp (n) = 1 . (3) 

26 The value d is the private key and is not allowed to be made known to a third 
party. A private key d (step 106) and a public key e (step 107) have been formed as 
a result of the key generation (key 105). The two keys d, e form a cryptographic key 
pair corresponding to one another, this key pair being used for an arbitrary 
cryptographic operation, i.e., for enciphering, deciphering, for a digital signature, or 
for authenticating (step 108). 
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27 After the key pair d, e has been formed according to the above-described 
method, the private key d is erased. The public key e is supplied to the certification 
entity 280, A certificate Certe is formed by the certification entity 280 via the public 
key e and the certificate Certe of the public key e is stored in a directory 290 that can 
be accessed by the public. Therefore, each communication participant in the 
communication network 280 can access the public key e via the certificate Certe of 
the public key e. The secrete key d corresponding to the public key e is erased in 
the first computer 200. 

28 Every time that the user 280 wishes to initial a communication on the basis of 
the key pair or when the user 280 wishes to carry out a cryptographic operation 
upon utilization of such a key pair, the user 280 enters his initial value (PIN, 
password) into the first computer 200 and the initial value 102 (as described above), 
in turn, is provided with additional data 103. It is then subjected to a hash function 
(step 1 04) and, on the basis of the base value BW, two prime numbers p and q are 
determined or a stored index (as described above) is read out or is also entered by 
the user 280 and a secret communication key is formed from it, which, however, 
corresponds to the private previously formed key d, which has been erased again. 

29 In this way, a communication key pair has been formed, which comprises the 
secret communication key and the corresponding public key e. For a 
communication session, a user can thus respectively immediately generate the 
secret communication code, so that it is possible to use intense "Public-Key- 
Technology" without having to store the secret key on a chip card. The generated 
communication key pair d, e is used for enciphering plaintext 109 with the public key 
e and for deciphering the electronic, enciphered data 1 10 with the secret 
communication key. 

30 Figure 1 symbolically shows the processing of plaintext 109, i.e., electronic 
data 109 that can be read by everybody, as well as enciphered electronic data 110, 
where the communication device is respectively described by an arrow toward or 
from the block representing a cryptographic operation 108. 
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31 The enciphering or, respectively, deciphering is performed according to the 
following rules: 



m' 



f mod n = c, 



(4) 



where 



- m refers to a quantity of 51 2 bit of electronic data 1 09 to be enciphered, 

- c refers to enciphered electronic data 110. 

32 The deciphering of the enciphered electronic data c is performed according to 
the following rule: 



33 A few alternatives of the above-described exemplary embodiment are 
explained as follows. The method can be used for enciphering, for securing integrity 
and for a digital signature of electronic data. Furthermore, the invention can be 
utilized in the field of secure electronic mail systems. The user must not necessarily 
enter the initial value 102 during the generation of the key pair at the beginning of 
the method, but a central unit generating the key pair can prescribe it to the user. 
Therefore, the user must merely remember a password or a PIN, and it is no longer 
necessary to securely store a secret cryptographic key, for example, on a chip card, 
which is associated with corresponding risks and with considerable outlay. Instead 
of a hash function, any arbitrary one-way function can be used in the framework of 
the invention. 

34 The above-described method and arrangement are illustrative of the 
principles of the present invention. Numerous modifications and adaptations will be 
readily apparent to those skilled in this art without departing from the spirit and 
scope of the present invention. 



m 



= c"* mod n. 



(5) 
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ABSTRACT 

35 After a key pair with a public key and a corresponding private key has been 
determined on the basis of an initial value, the initial value is nnade available to a 
user. The private key can then be erased. When the user wishes to carry out a 
cryptographic operation based on the "Public-Key-Technology", the user enters the 
initial value into a computer and, upon utilization of the initial value, a secret 
communication key is formed, which corresponds to the private key that had been 
previously formed but was then erased. 
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METHOD AND ARRANGEMENT FOR FORMING A SECRET 
COMMUNICATION KEY FOR A PREDETERMINED ASYMMETRIC 
CRYPTOGRAPHIC KEY PAIR 

The invention relates to a method and an arrangement for forming a secret 
5 communication key for a predetermined asymmetric key pair. 

The formation of an asymmetric cryptographic key pair is known from [1]. 

Given this method, the RS A method for forming a cryptographic key pair, which 
comprises a secret key and a corresponding public key, is formed. 

Only the user knows the secret key; the public key can be made known to all 
1 0 subscribers of a communication network. 

The user signs the data with his secret key when a digital signature is prepared for 
protecting the authenticity and integrity of electronic data. The signed digital 
signature is verified upon utilization of the pubUc key corresponding to the secret key, 
so that the authenticity or, respectively, integrity of the digital signature can be 
1 5 checked by all communication partners, which have access to the public key. 

The aforementioned what is referred to as 'Tublic-Key-Technology" is particularly 
applied in the digital communication within a computer network (a fixed number of 
computer units, which are connected to one another via a communication network). 

Given the method known from [1], the protection of the secret key against 
2 0 unauthorized access of a third party is of critical importance for the security of the 
digital signature. 
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It is known from [2] to store the secret key on an external medium for storing data, for 
example a chip card, a disk etc., or on a hard disk, whereby key data are protected in 
that a personal identification code (Personal Identification Number, PIN) or a 
password, with which the key data are respectively deciphered is used. It is necessary, 
5 however, to access the local resources of a user when these external media are used. 
This is not desired especially with respect to a network-oriented infrastructure of 
network computers or Java applications. 

A network computer is a computer, which is networked with other computers. 

A Java application is a program containing programs that are written in the 
1 0 programming language Java. 

Therefore, the method known from [2] is associated with the disadvantage that the 
secret key must be stored on an external medium, so that it is very difficult to protect 
the secret key against misuse. 

An overview regarding hash fimctions can be found in [3]. A hash ftinction is a 
1 5 function, wherein it is possible to calculate a corresponding input value to a given 
function value. Furthermore, an output character string having a fixed length is 
allocated to an arbitrarily long input character string. Moreover, additional properties 
can be requested for the hash ftinction. Such an additional property is collision 
freedom, i.e., it is not allowed to be possible to find two different input character 
2 0 strings resulting in the same output character string. 

Examples of a hash function are the method according to the MD-2 standard, the 
method according to the MD-5 standard, the Data Encryption Standard (DES), which 
is carried out without utilizing a key, or any other arbitrary hash function. 
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A method referred to as a method according to Miller-Rabin, wherein it can be 
checked for a number whether it is a prime number, is known from [4]. 

Therefore, an object of the invention is to form a secret communication key for a 
predetermined asymmetric cryptographic key pair, wherein the secret key of the 
5 asymmetric key pair must not be stored permanently. 

The problem is solved by the method and by the arrangement with the features of the 
independent patent claims. 

Given the method for forming a secret communication key for a predetermined 
asymmetric cryptographic key pair, which comprises a secret key and a corresponding 
1 0 public key, a prescribable initial value has been used with respect to the determination 
of the key pair. The initial value is available to a user. The user enters the initial 
value into the computer and the secret communication key is formed upon utilization 
of the initial value. The secret communication key and the public key form a 
communication key pair. 

1 5 The arrangement for forming a secret communication key for a predetermined 

asymmetric cryptographic key pair, which comprises a secret key and a corresponding 
public key, has a processor, which is set up such that the following steps can be 
carried out; 

- a prescribed initial value has been used for determining the key pair, 
2 0 - the user enters the initial value into the computer, 

- the secret communication key is formed upon utilization of the initial value, whereby 
the secret communication key and the public key form a communication key pair. 
Furthermore, an input means is provided for entering the initial value by the user. 

As a result of the invention, it is possible to erase the secret key without having to 
2 5 forego the intense cryptography of the "Public-Key-Technology". 



4 

Concretely, the initial value can be regarded as a personal identification code 
(Personal Identification Number PIN) or as a password that is prescribed by the user 
or that is centrally prescribed and that is entered by the user into the computer. After 
the password or, respectively, the PIN has been entered, the secret communication 
5 key, i.e. the key that is of the same name compared to the secret key, is formed, which 
forms a key pair, the communication key pair, together with the public key, upon 
utilization of the the [sic] password or, respectively, of the PIN as an initial value, 
[sic] 

In this way, a fusion of the password technology customary to the user of a 
1 0 conventional computer network or, respectively, of a conventional computer with the 
intense cryptology is inventively achieved without considerable efforts being 
necessary in order to permanently store secret key material. 

Preferred embodiments of the invention derive from the dependent claims. 

In an embodiment of the invention, a hash function is applied to the initial value, 
1 5 whereby a value is formed that is finally used for the key generation. 

Furthermore, additional data, which preferably characterize the user himself, can be 
used during the key generation. 

The RS A method for the key generation is preferably used for forming the 
cryptographic key. 

2 0 The method according to the MD-5 standard, the MD-2 standard or the Data 
Encryption Standard (DES) can be used as hash function can be used [sic]. 

The communication key pair can be used for enciphering or for securing the integrity 
of electronic data, for forming a digital signature via electronic data or for 
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authenticating a user, generally for any arbitrary cryptographic operation using the 
"Public-Key-Technology", whereby the formed communication key pair is utilized. 

For accelerating the method, it is advantageous in an embodiment to store an index 
when the secrete key is formed, which index is referred to as accelerating code in the 
5 following. The accelerating code indicates how often numbers - proceeding from the 
initial value - have been checked to the effect whether or not the respective number is 
a prime number. 

The method according to Miller-Rabin is preferably used for checking the property 
whether a number represents a prime number. 

10 An exemplary embodiment of the invention is shown in the Figures and is 
subsequently explained in greater detail. 

Shown are 

Figure 1 a flow diagram representing the method steps of the exemplary 
~- embodiment; 

1 5 Eigmsi^ a drawing representing a computer network having a plurality of 
computers coupled to one another; 

Eigure3^ a symbolic drawing representing the course of action for determining a 
prime number on the basis of an initial value. 

Figure 2 shows a plurality of computers 200, 210, 220, 230, 240, 250, which are 
2 0 connected to one another via a communication network 260. Each computer 200, 
210, 220, 230, 240, 250 respectively has a plurality of input means, i.e. a keyboard 
206, 216, 226, 236, 246, 256, a mouse 207, 217, 227, 237, 247, 257, a scanner (not 
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shown) or a camera (not shown). The entered information is supplied to a memory 
202, 212, 222, 232, 242, 252 via the respective input means via an input 
interface/output interface 201, 21 1, 221, 231, 241, 251 and is stored. The 202, 2212, 

222, 232, 242, 252 memory is connected to the input interface/output interface 201, 
5 211, 221, 231, 241, 251 via a bus 204, 214, 224, 234, 254. A processor 203, 213, 

223, 233, 243, 253, which is set up such that the following methods steps can be 
carried out, is also connected to the bus 204, 214, 224, 234, 254, 

The computer 200, 210, 220, 230, 240, 250 communicate via the communication 
network 260 according to the Transport Control Protocol/Intemet Protocol (TCP/IP). 

10 

The communication network 260 also contains a certification unit 270 with which a - 
certificate is prepared respectively for a public key, so that the public key is 
trustworthy for a communication on the basis of the "Public-Key-Technology. 

A user 280 enters an arbitrary prescribable word (PIN, password), which is only 
15 known to the user, into a first computer 200 (step 101, compare Figure 1). 

According to the RS A method, the first computer 200 generates an asymmetric 
cryptographic key pair, as described in the following. 

The value 102 entered by the user 280 and additional data 103 characterizing the user 
280, such as user name, personal number, terminal address etc., are supplied to a hash 
2 0 function (step 104). 

[3] contains an overview regarding hash functions. A hash function is a function, 
wherein it is not possible to calculate a corresponding input value to a given function 
value. Furthermore, an output character string having a fixed length is allocated to an 
arbitrarily long input character string. Moreover, additional properties can be 
2 5 requested for the hash function. Such an additional property is collision freedom, i.e., 



it is not allowed to be possible to find two different input character strings resulting in 
the same output character string. 

Examples of a hash function are the method according to the MD-2 standard, the 
method according to the MD-5 standard, the Data Encryption Standard (DES), which 
is carried out without utilizing a key, or any other arbitrary hash function. 

The value formed by the hash function is used as base value BW for forming two 
prime numbers, as symbolically shown in Figure 3. 

As shown in Figure 3, it is respectively checked for a value Wi (i = 1, n) in an 
iterative method, on the basis of the base value BW, whether or not the respective 
value represents a prime number (step 301). 

The method according to Miller-Rabin is utilized as method for checking the property 
prime for a number (see [4]). 

If it is determined for a number that the number does not represent a prime number, 
the number is increased by a prescribable value, preferably by the value 2 (step 302) 
and the test with respect to the property "prime" is repeated (step 301). This course of 
action is repeated until two prime numbers - a first prime number P and a second 
prime number q - have been determined. 

Referred to as index is a number indicating how often - on the basis of the base value 
P W [sic] - the number must be increased by the prescribed value until the first prime 
number p or, respectively, the second prime number q is obtained. 

The result of the method shown in Figure 3 is two prime numbers p and q, which are 
used for the key generation according to the RSA method (step 105). 
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The prime numbers p and q normally have a length of a plurality of 100 bit. 

A modulus n is formed from the prime numbers p and q according to the following 
rule: 



n = p*q. 

Furthermore, an intermediate variable <p(n) is formed according to the following rule: 
q>(n) = (p-l) * (q-1). (2) 

A secret key d is now selected such that the secret key d is relatively prime with 
respect to <p (n). A public key e is determined such that the following rule is fulfilled: 

e * d mop (p(n) =1. (3) 

The value d is the secret key and is not allowed to make known to a third party. 

Therefore, a private key d (step 106) and a public key e (step 107) have been formed 
as a result of the key generation (key 105). 



The two keys d, e form a cryptographic key pair corresponding to one another, this 
key pair being used for an arbitrary cryptographic operation, i.e. for enciphering, 
deciphering, for the digital signature or for authenticating (step 108). 

After the key pair d, e has been formed according to the above-described method, the 
secret key d is erased. 
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The public key e is supplied to the certification entity 280. A certificate Certe is 
formed by the certification entity 280 via the public key e and the certificate Certe of 
the public key e is stored in a directory 290 that can be accessed by the public. 

Therefore, each communication participant in the communication network 280 can 
5 access the public key e via the certificate Certe of the public key e. 

The secrete key d corresponding to the public key e is erased in the first computer 
200. 

Every time when the user 280 wishes to initial a communication on the basis of the 
key pair or, respectively, when the user 280 wishes to carry out a cryptographic 
operation upon utilization of such a key pair, the user 208 [sic] enters his initial value 
(PIN, password) into the first computer 200 and the initial value 102 (as described 
above), in turn, is provided with additional data 103, is subjected to a hash function 
(step 104) and, on the basis of the base value BW, two prime numbers p and q are 
determined or a stored index (as described above) is read out or is also entered by the 
user 280 and a secrete communication key is formed therefirom, which, however, 
corresponds to the secrete, previously formed key d, which has been erased again. 

In this way, a communication key pair has been formed, which comprises the secrete 
communication key and the corresponding public key e. For a communication 
2 0 session, a user can thus respectively currently generate the secrete communication 

code, so that it is possible to use intense "Public-Key-Technology" without having to 
store the secrete key on a chip card. 

The thus generated communication key pair d, e is used for enciphering plaintext 109 
with the public key e and for deciphering the electronic, enciphered data 1 10 with the 
2 5 secrete communication key. 
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Figure 1 symbolically shows the processing of plaintext 109, i.e., electronic data 109 
that can be read by everybody, as well as enciphered electronic data 110, whereby the 
communication device respectively describes by an arrow toward or, respectively, 
from the block representing a cryptographic operation 108. [sic] 

5 The enciphering or, respectively, deciphering is performed according to the following 
rules: 

m^ mod n = c, 
whereby 

- m refers to a quantity of 512 bit of electronic data 109 to be enciphered, 
10 - c refers to enciphered electronic data 1 10. 

The deciphering of the enciphered electronic data c is performed according to the 
following rule: 

m = c"^ mod n. (5) 

A few alternatives of the above-described exemplary embodiment are explained in the 
1 5 following: 

The method can be used for enciphering, for securing integrity and for the digital 
signature of electronic data. 

Furthermore, the invention can be utilized in the field of secure electronic mail 
systems. 
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The user must not necessarily enter the initial value 102 during the generation of the 
key pair at the beginning of the method, but a central unit generating the key pair can 
prescribe it to the user. 



Therefore, the user must merely remember a password or, respectively, a PIN and it is 
no longer necessary to securely store a secrete cryptographic key, for example on a 
chip card, this being associated with corresponding risks and with considerable outlay. 

Instead of a hash function, any arbitrary one-way function can be used in the 
framework of the invention. 
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Patent claims 

1 . Method for forming a secrete communication key for a predetermined asymmetric 
cryptographic key pair, which comprises a secrete key and a corresponding public key, 
by a computer, 

5 a) whereby a prescribable initial value has been used given the determination of the 
key pair, 

b) whereby the initial value is made available to a user, 

c) whereby the user enters the initial value into the computer, 

d) whereby the secrete communication key is formed upon utiUzation of the initial 

1 0 value, whereby the secrete communication key and the public key form an asymmetric 
cryptographic communication key pair. 

2. Method according to claim 1, 

whereby the initial value is supplied to a hash function and the value formed by the 
hash function is used for determining the key pair and the communication key pair. 

15 3. Method according to claim 1 or 2, 

whereby additional data characterizing the user are utilized when the key pair and the 
communication key pair are formed. 

4. Method according to one of the claims 1 to 3, 

- whereby a prime number is determined on the basis of the initial value, whereby, in 
2 0 an iterative method, it is checked whether the respectively checked number is a prime 

number and when this is the case, an index is stored, which refers to a plurality of 
numbers, which have been checked with respect to their property whether they are a 
prime number, is stored [sic], 

- otherwise, another number is selected on the basis of the checked number and the 
2 5 index is increased by a prescribed number. 
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- whereby the used prime number is erased after the communication key pair has been 
formed, 

whereby the index and the initial value are respectively used for forming a new 
communication key pair for forming the secrete communication key. 

5. Method according to claim 4, 

whereby the test, whether a number is a prime number, is carried out according to the 
method of Miller-Rabin. 

6. Method according to one of the claims 1 to 5, 
whereby the keys are formed according to the RSA method. 

7. Method according to one of the claims 2 to 6, 
whereby the hash function is one of the following methods: 

- MD-5 method, 

- MD-2 method, 

- the method according to the Data Encryption Standard (DES) as one-way function. 

8. Method according to one of the claims 1 to 7, 

used for enciphering electronic data with the secrete communication key, 

9. Method according to one of the claims 1 to 7, 

used for forming a digital signature via electronic data upon utilization of the secrete 
communication key. 

10. Method according to one of the claims 1 to 7, 

used for authenticating upon utilization of the secrete communication key. 

1 1 . Arrangement for forming a secrete communication key for a predetermined 
asymmetric cryptographic key pair, which comprises a secrete key and a 
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corresponding public key, with a processor being set up such that the following steps 
can be carried out: 

- the key pair has been determined upon utilization of a prescribable initial value, 

- the initial value is made available to a user, 

5 - the user enters the initial value into the computer, 

- the secrete communication key is formed upon utilization of the initial value, 
whereby the secrete communication key and the public key form a communication 
key pair, and 

with an input means for entering the initial value by the user. 

10 12. Arrangement according to claim 11, 

whereby the processor is set up such that the initial value is supplied to a hash 
function and the value formed by the hash function is used for determining the key 
pair and the communication key pair, 

13. Arrangement according to claim 11 or 12, 

1 5 whereby the processor is set up such that additional data characterizing the user are 
utilized during the formation of the key pair and the communication key pair. 

14. Arrangement according to one of the claims 1 1 to 13, 
whereby the processor is set up such that 

- a prime number is determined on the basis of the initial value, whereby, in an 

2 0 iterative method, it is checked whether the respectively checked number is a prime 
number and when this is the case, an index is stored, which refers to a plurality of 
numbers, which have been checked with respect to their property whether they are a 
prime number, is stored [sic], 

- otherwise, another number is selected on the basis of the checked number and the 
2 5 index is increased by a prescribed number, 

- whereby the used prime number is erased after the communication key pair has been 
formed, 
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- whereby the index and the initial value are respectively used for forming a new 
communication key pair for forming the secrete communication key, 

15. Arrangement according to claim 14, 

whereby the processor is set up such that the test, whether a number is a prime 
number, is performed according to the method of Miller-Rabin. 

16. Arrangement according to one of the claims 1 1 to 15, 

whereby the processor is set up such that the keys are formed according to the RSA 
method. 

17. Arrangement according to one of the claims 12 to 16, 

whereby the processor is set up such that the hash function is one of the following 
methods 

. Method according to one of the claims 2 to 6, 

whereby the hash function is one of the following methods: 

- MD-5 method, 

- MD-2 method, 

- the method according to the Data Encryption Standard (DES) as one-way function. 

18. Method according to one of the claims 1 1 to 17, 

used for enciphering electronic data with the secrete communication key. 

19. Arrangement according to one of the claims 1 1 to 17, 

used for forming a digital signature via electronic data upon utilization of the secrete 
communication key. 

20. Arrangement according to one of the claims 1 1 to 17, 

used for authenticating upon utilization of the secrete communication key. 
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Abstract 

Method and arrangement for forming a secrete communication key for a 
predetermined asymmetric cryptographic key pair 

After a key pair with a public key and a corresponding secrete key has been 
5 determined on the basis of an initial value, the initial value is made available to a user. 
The secrete key can be erased. When the user wishes to carry out a cryptographic 
operation based on the "Public-Key-Technology\ the user enters the initial value into 
a computer and, upon utilization of the initial value, a secrete communication key is 
formed, which corresponds to the secrete key previously formed but erased since. 
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Ich beanspruche hiermit gemass Absatz 35 der Zivil- 
prozessordnung der Vereinigten Staaten, Paragraph 
120, den Vorzug aller unten aufgefQhrten Anmel- 
dungen und falls der Gegenstand aus jedem An- 
spruch dieser Anmeldung nicht in einer fruheren ame- 
rikanischen Patentanmeldung laut dem ersten Para- 
graphen des Absatzes 35 der ZivilprozeSordnung der 
Vereinigten Staaten, Paragraph 122 offenbart ist, 
erkenne ich gemass Absatz 37, Bundesgesetzbuch, 
Paragraph 1.56(a) meine Pflicht zur Offenbarung von 
informationen an, die zwischen dem Anmeldedatum 
der fruheren Anmeldung und dem nationalen oder 
PCT internationalen Anmeldedatum dieser Anmel- 
dung bekannt geworden sind. 



I hereby claim the benefit under Title 35. United Sta- 
tes Code. §120 of any United States application(s) 
listed below and, insofar as the subject matter of each 
of the claims of this application is not disclosed in the 
prior United States application in the manner provided 
by the first paragraph of Title 35, United States Code 
§122, 1 acknowledge the duty to disclose material 
information as defined in Title 37, Code of Federal 
Regulations, §1. 56(a) which occured between the 
filing date of the prior application and the national or 
PCT international filing date of this application. 



(Application Serial No.) 
(Anmeldeseriennummer) 



(Application Serial No.) 
(Anmeldeseriennummer) 



(Filing Date) 
(Anmeldedatum) 



(Filing Date) 
(Anmeldedatum) 



(Status) 

(patentiert, anhangig, 
aufgegeben) 



(Status) 

(patented, pending, 
abandoned) 



(Status) 

(patentiert, anhangig, 
aufgeben) 



(Status) 

(patented, pending, 
abandoned) 



Ich erklare hiermit, dass alle von mir in der vorliegen- 
den Erklarung gemachten Angaben nach meinem 
besten Wissen und Gewissen der vollen Wahrheit 
entsprechen, und dass ich diese eidesstattliche Erkla- 
rung in Kenntnis dessen abgebe, dass wissentlich und 
vorsatzlich falsche Angaben gemass Paragraph 1001, 
Absatz 18 der Zivilprozessordnung der Vereinigten 
Staaten von Amerika mit Geldstrafe belegt und/oder 
Gefangnis bestraft werden koennen, und dass derartig 
wissentlich und vorsatzlich falsche Angaben die GQl- 
tigkeit der vorliegenden Patentanmeldung oder eines 
darauf erteilten Patentes gefahrden kbnnen. 



1 hereby declare that all statements made herein of 
my own knowledge are true and that all statements 
made on information and belief are believed to be 
true, and further that these statements were made 
with the knowledge that willful false statements and 
the like so made are punishable by fine or imprison- 
ment, or both, under Section 1001 of Title 18 of the 
United States Code and that such willful false state- 
ments may Jeopardize the validity of the application or 
any patent issued thereon. 
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Nachdem ein Schtvisselpaar mit einem offentlichen Schlussel 
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einem Startwert ermittelt wurde, wird der Startwert einem Benutzer 
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gebildet, der dem zuvor gebildeten, seitdem geldschten geheimen 
Schlussel entspricht. 
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